CVSS: 7.8EPSS: 0%CPEs: 8EXPL: 0CVE-2025-68750 – usb: potential integer overflow in usbg_make_tpg()
https://notcve.org/view.php?id=CVE-2025-68750
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: potential integer overflow in usbg_make_tpg() The variable tpgt in usbg_make_tpg() is defined as unsigned long and is assigned to tpgt->tport_tpgt, which is defined as u16. This may cause an integer overflow when tpgt is greater than USHRT_MAX (65535). I haven't tried to trigger it myself, but it is possible to trigger it by calling usbg_make_tpg() with a large value for tpgt. I modified the type of tpgt to match tpgt->tport_tpgt and a... • https://git.kernel.org/stable/c/0861b9cb2ff519b7c5a3b1dd52a343e18c4efb24 •
CVSS: 6.3EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54160 – firmware: arm_sdei: Fix sleep from invalid context BUG
https://notcve.org/view.php?id=CVE-2023-54160
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: firmware: arm_sdei: Fix sleep from invalid context BUG Running a preempt-rt (v6.2-rc3-rt1) based kernel on an Ampere Altra triggers: BUG: sleeping function called from invalid context at kernel/locking/spinlock_rt.c:46 in_atomic(): 0, irqs_disabled(): 128, non_block: 0, pid: 24, name: cpuhp/0 preempt_count: 0, expected: 0 RCU nest depth: 0, expected: 0 3 locks held by cpuhp/0/24: #0: ffffda30217c70d0 (cpu_hotplug_lock){++++}-{0:0}, at: cpuh... • https://git.kernel.org/stable/c/59842a9ba27d5390ae5bf3233a92cad3a26d495c •
CVSS: 4.9EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54159 – usb: mtu3: fix kernel panic at qmu transfer done irq handler
https://notcve.org/view.php?id=CVE-2023-54159
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: usb: mtu3: fix kernel panic at qmu transfer done irq handler When handle qmu transfer irq, it will unlock @mtu->lock before give back request, if another thread handle disconnect event at the same time, and try to disable ep, it may lock @mtu->lock and free qmu ring, then qmu irq hanlder may get a NULL gpd, avoid the KE by checking gpd's value before handling it. e.g. qmu done irq on cpu0 thread running on cpu1 qmu_done_tx() handle gpd [0] ... • https://git.kernel.org/stable/c/48e0d3735aa557a8adaf94632ca3cf78798e8505 •
CVSS: 7.8EPSS: 0%CPEs: 7EXPL: 0CVE-2023-54158 – btrfs: don't free qgroup space unless specified
https://notcve.org/view.php?id=CVE-2023-54158
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: btrfs: don't free qgroup space unless specified Boris noticed in his simple quotas testing that he was getting a leak with Sweet Tea's change to subvol create that stopped doing a transaction commit. This was just a side effect of that change. In the delayed inode code we have an optimization that will free extra reservations if we think we can pack a dir item into an already modified leaf. Previously this wouldn't be triggered in the subvo... • https://git.kernel.org/stable/c/1e05bf5e80bb1161b7294c9ce5292b26232ab853 •
CVSS: 6.9EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54157 – binder: fix UAF of alloc->vma in race with munmap()
https://notcve.org/view.php?id=CVE-2023-54157
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: binder: fix UAF of alloc->vma in race with munmap() [ cmllamas: clean forward port from commit 015ac18be7de ("binder: fix UAF of alloc->vma in race with munmap()") in 5.10 stable. It is needed in mainline after the revert of commit a43cfc87caaf ("android: binder: stop saving a pointer to the VMA") as pointed out by Liam. The commit log and tags have been tweaked to reflect this. ] In commit 720c24192404 ("ANDROID: binder: change down_write ... • https://git.kernel.org/stable/c/dd2283f2605e3b3e9c61bcae844b34f2afa4813f •
CVSS: 5.5EPSS: 0%CPEs: 6EXPL: 0CVE-2023-54156 – sfc: fix crash when reading stats while NIC is resetting
https://notcve.org/view.php?id=CVE-2023-54156
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: sfc: fix crash when reading stats while NIC is resetting efx_net_stats() (.ndo_get_stats64) can be called during an ethtool selftest, during which time nic_data->mc_stats is NULL as the NIC has been fini'd. In this case do not attempt to fetch the latest stats from the hardware, else we will crash on a NULL dereference: BUG: kernel NULL pointer dereference, address: 0000000000000038 RIP efx_nic_update_stats abridged calltrace: efx_ef10_upda... • https://git.kernel.org/stable/c/d3142c193dca9a2f6878f4128ce1aaf221bb3f99 •
CVSS: 5.6EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54155 – net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail()
https://notcve.org/view.php?id=CVE-2023-54155
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: net: core: remove unnecessary frame_sz check in bpf_xdp_adjust_tail() Syzkaller reported the following issue: ======================================= Too BIG xdp->frame_sz = 131072 WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 ____bpf_xdp_adjust_tail net/core/filter.c:4121 [inline] WARNING: CPU: 0 PID: 5020 at net/core/filter.c:4121 bpf_xdp_adjust_tail+0x466/0xa10 net/core/filter.c:4103 ... Call Trace:
CVSS: 5.6EPSS: 0%CPEs: 5EXPL: 0CVE-2023-54154 – scsi: target: core: Fix target_cmd_counter leak
https://notcve.org/view.php?id=CVE-2023-54154
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: scsi: target: core: Fix target_cmd_counter leak The target_cmd_counter struct allocated via target_alloc_cmd_counter() is never freed, resulting in leaks across various transport types, e.g.: unreferenced object 0xffff88801f920120 (size 96): comm "sh", pid 102, jiffies 4294892535 (age 713.412s) hex dump (first 32 bytes): 07 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 ................ 00 00 00 00 00 00 00 00 38 01 92 1f 80 88 ff ff ........... • https://git.kernel.org/stable/c/76b77646f17118f5babe93c032e6b7a53bbde3b9 •
CVSS: 5.5EPSS: 0%CPEs: 8EXPL: 0CVE-2023-54153 – ext4: turn quotas off if mount failed after enabling quotas
https://notcve.org/view.php?id=CVE-2023-54153
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: ext4: turn quotas off if mount failed after enabling quotas Yi found during a review of the patch "ext4: don't BUG on inconsistent journal feature" that when ext4_mark_recovery_complete() returns an error value, the error handling path does not turn off the enabled quotas, which triggers the following kmemleak: ================================================================ unreferenced object 0xffff8cf68678e7c0 (size 64): comm "mount", pi... • https://git.kernel.org/stable/c/11215630aada28307ba555a43138db6ac54fa825 •
CVSS: 5.5EPSS: 0%CPEs: 4EXPL: 0CVE-2023-54152 – can: j1939: prevent deadlock by moving j1939_sk_errqueue()
https://notcve.org/view.php?id=CVE-2023-54152
24 Dec 2025 — In the Linux kernel, the following vulnerability has been resolved: can: j1939: prevent deadlock by moving j1939_sk_errqueue() This commit addresses a deadlock situation that can occur in certain scenarios, such as when running data TP/ETP transfer and subscribing to the error queue while receiving a net down event. The deadlock involves locks in the following order: 3 j1939_session_list_lock -> active_session_list_lock j1939_session_activate ... j1939_sk_queue_activate_next -> sk_session_queue_lock ... j19... • https://git.kernel.org/stable/c/5b9272e93f2efe3f6cda60cc2c26817b2ce49386 •